Software project managers have limited project resources. Requests for security improvements must compete with other requests, such as for new tools, more staff, and additional testing. Deciding how and whether to invest in cybersecurity protection requires knowing the answer to at least two questions: What is the likelihood of an attack, and what are the likely consequences of an attack? This article explores how answers to these questions have been sought and what obstacles lie in the way of understanding the answers. The authors discuss the need for data available to inform management decisions about cybersecurity investment, then examine models supporting decisions about trade-offs between investment and protection. Finally, they present a framework for comparing and contrasting economic models, so that project managers can make effective decisions about security. This article is part of a special issue on Security for the Rest of Us.